[Oisf-users] Suricata and flowint

[Martin Holste]

> First off, the content is encrypted according to Dell Secureworks.
> And if you look at it, it is always random to the human eye... So
> there is no content to match on.

Ok, got it.


> "...Second, Gheg is one of the few botnets that encrypt traffic from the
> command and control servers using a nonstandard SSL connection on port 443.

Ah, that's probably the place for a sig, then.  I'll mention Bro again
here because I do want to encourage Suricata users to run both, as
they do different and complimentary things.  Specifically, Bro has an
entire SSL subsystem that goes well beyond either Snort or Suricata
and will probably be great at detecting this.  Bro ships with the
Mozilla default SSL certificates, and out of the box, will alert on
any SSL connections that are using certs that a standard Firefox
browser wouldn't trust, complete with certificate chain walking.  If
nothing else, use Bro to log all SSL certs observed in transit and
combine that with your Suricata sigs to zero in on the anomalies.

Bro and Suricata together create a great information feedback loop in
which they inform the other.  Suricata has superior raw pattern
matching and is great for initial alerts, and Bro has deep
application-level logging capabilities, especially with SSL and SMTP,
to provide full context to alerts.

> I might privately share a pcap that you can look at, and tell me how you
> will sig that with Bro. Would be good to see and to learn more about Bro.

Sure, send it to me and hopefully I can send you back an example of
how to detect the weird SSL.

> The blog post was ment as a hack to get something done in suricata, that
> has not been done before (and snort), to inspire people to think out of
> the box and maybe use tools in a different way then "normal". And maybe
> it is a good way to go or to have in an IDS.
>

It's always great to see illustrations of the features provided, and
it was a nice introduction to the flowint system.